More than 40 percent of the world’s spam is coming from a single network of computers that computer security experts continue to battle, according to new statistics from Symantec’s MessageLabs’ division.
The Rustock botnet has shrunk since April, when about 2.5 million computers were infected with its malicious software that sent about 43 billion spam e-mails per day. Much of it is pharmaceutical spam.
Now, about 1.3 million computers are infected with Rustock, and the botnet is making up for its decreased size with increased volume, said Paul Wood, a MessageLabs intelligence analyst with Symantec. Those infected computers — most of which are in North America and Western Europe — are collectively sending around 46 billion spam e-mails per day.
The reason for the drop in infected computers could be due to a number of factors, Wood said. Those computers’ antivirus programs may have detected the infections or the people controlling Rustock could have lost the connection to those computers for various reasons.
The computers infected with Rustock have also stopped using TLS (Transport Layer Security), an encryption protocol used to securely send e-mail. Spammers were believed to encrypt their spam using TLS because it was harder for other network equipment to inspect the traffic and figure out if it was spam, Wood said.
But sending e-mail using TLS required more resources and was slower. “It would seem that the botnet controllers, especially those behind Rustock, have perhaps realized that the use of TLS gave them little or no discernible benefits and instead impeded their sending capacity owing to the additional bandwidth and processing overhead needed for TLS,” the report said.
Rustock has proved to be a robust botnet. It was nearly killed off when McColo, an ISP in San Jose, California, was cut off from the Internet in November 2008 by its upstream providers. McColo had hosted the command-and-control servers for several botnets, including Rustock.
But Rustock’s operators were able to switch the command-and-control servers when McColo briefly regained connectivity again before finally being shut off, which has allowed it to run for nearly four years now.
Many factors are behind the resilience of botnets such as Rustock and Kneber — uncovered earlier this year.
In Kneber’s case for instance, multiple infections by different malware on the same host worked together as a sophisticated mechanism to give all the malware a better survival rate.
Apart from its sheer size< — 74,000 compromised computers in 2,400 different companies — the way Kneber interacted with other malware networks suggested a symbiotic relationship that ultimately made each botnet that much more resistant to being dismantled, said Alex Cox, the senior consultant in the research department at NetWitness who discovered Kneber.
Kneber was built using a well-established toolkit for aggregating botnets called ZeuS that has been around for years. Kneber is an example of just one botnet built with the toolkit, but because Cox captured 75GB of log data from the command-and-control server, he was able to examine detailed characteristics of the computers ZeuS took over.
He found more than half the 74,000 compromised computers — bots — within Kneber were also infected with other malware that uses a different command-and-control structure. If one of the criminal networks were disabled, the other could be used to build it up again,
“At the very least, two separate botnet families with different [command-and-control] infrastructures can provide fault tolerance and recoverability in the event that one [command-and-control] mechanism is taken down by security efforts,” he said in his written analysis of the Kneber botnet.
In this case, more than half the machines that made up the botnet were infected with both ZeuS, which steals user data, and Waledac, a spamming malware that uses peer-to-peer mechanisms to spread more infections, he says.